mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-04-22 10:01:45 +00:00
5b969d9d30
The package license (AGPL3+) implicitly indicates the license of each file. However, it is desirable to have license headers in each file. This is the case for many prominent projects like GNU project, Mozilla etc.
114 lines
4.1 KiB
Bash
Executable File
114 lines
4.1 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# This file is part of Plinth.
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, either version 3 of the
|
|
# License, or (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
# Enable tracing to see the commands in
|
|
# /var/log/freedombox-first-run.log
|
|
set -x
|
|
|
|
# Setup interfaces into appropriate zones. XXX: This is ideally done
|
|
# by network configuration as network configuration tool/scripts have
|
|
# better idea of what the interfaces are. There should also be a UI in
|
|
# Plinth to classify each interface as external or internal.
|
|
|
|
# If more than one interfaces is available, assume eth0 is external
|
|
# and rest are internal interfaces.
|
|
INTERFACES=$(interface-detect | grep wired | grep -v lo | cut -f1 -d,)
|
|
NO_OF_INTERFACES=$(echo $INTERFACES | wc --words)
|
|
if [ $NO_OF_INTERFACES -gt '1' ]
|
|
then
|
|
for INTERFACE in $INTERFACES
|
|
do
|
|
if [ $INTERFACE = 'eth0' ]
|
|
then
|
|
ZONE='external'
|
|
else
|
|
ZONE='internal'
|
|
fi
|
|
|
|
firewall-cmd --zone=$ZONE --permanent --add-interface=$INTERFACE
|
|
done
|
|
fi
|
|
|
|
# If only one interface is available, assume it to be internal so that
|
|
# services are available on this only possible interface. This means
|
|
# that all services which are meant to available only internally will
|
|
# be available externally if the interface is publicly accessible.
|
|
# XXX: To avoid this, FreedomBox should configure at least two
|
|
# interfaces. If only one network hardware device is available, an
|
|
# alias such as 'eth0:1' could be created and can act as internal
|
|
# interface.
|
|
if [ $NO_OF_INTERFACES -eq '1' ]
|
|
then
|
|
firewall-cmd --zone=internal --permanent --add-interface="$INTERFACES"
|
|
fi
|
|
|
|
|
|
# Setup firewall rules for all the services enabled by default.
|
|
# Ideally all non-essential services are enabled from Plinth which
|
|
# automatically takes care of enabling appropirate firewall ports. The
|
|
# following is then for essential services and services that are not
|
|
# yet configurable from Plinth.
|
|
|
|
# HTTP (JWChat, ownCloud)
|
|
firewall-cmd --zone=external --permanent --add-service=http
|
|
firewall-cmd --zone=internal --permanent --add-service=http
|
|
|
|
# HTTPS (Plinth, JWChat, ownCloud)
|
|
firewall-cmd --zone=external --permanent --add-service=https
|
|
firewall-cmd --zone=internal --permanent --add-service=https
|
|
|
|
# Tor
|
|
firewall-cmd --zone=internal --permanent --add-service=tor-socks
|
|
|
|
# NTP
|
|
firewall-cmd --zone=internal --permanent --add-service=ntp
|
|
|
|
# DNS
|
|
firewall-cmd --zone=internal --permanent --add-service=dns
|
|
|
|
# mDNS
|
|
firewall-cmd --zone=internal --permanent --add-service=mdns
|
|
|
|
# DHCP
|
|
firewall-cmd --zone=internal --permanent --add-service=dhcp
|
|
|
|
# Bootp Server and Client (not enabled)
|
|
#firewall-cmd --zone=internal --permanent --add-port=67/tcp
|
|
#firewall-cmd --zone=internal --permanent --add-port=67/udp
|
|
#firewall-cmd --zone=internal --permanent --add-port=68/tcp
|
|
#firewall-cmd --zone=internal --permanent --add-port=68/udp
|
|
|
|
# LDAP (not enabled)
|
|
#firewall-cmd --zone=internal --permanent --add-service=ldap
|
|
#firewall-cmd --zone=internal --permanent --add-service=ldaps
|
|
|
|
# OpenVPN (not enabled)
|
|
#firewall-cmd --zone=external --permanent --add-service=openvpn
|
|
#firewall-cmd --zone=internal --permanent --add-service=openvpn
|
|
|
|
# Privoxy
|
|
firewall-cmd --zone=internal --permanent --add-service=privoxy
|
|
|
|
# XMPP
|
|
firewall-cmd --zone=external --permanent --add-service=xmpp-server
|
|
firewall-cmd --zone=internal --permanent --add-service=xmpp-server
|
|
firewall-cmd --zone=external --permanent --add-service=xmpp-client
|
|
firewall-cmd --zone=internal --permanent --add-service=xmpp-client
|
|
firewall-cmd --zone=external --permanent --add-service=xmpp-bosh
|
|
firewall-cmd --zone=internal --permanent --add-service=xmpp-bosh
|